GDB (150pts)
Let's do some GDB, bro!
Connect: nc 103.200.7.150 9977
Description
In this challenge we are given access to a server at 103.200.7.150, port 9977.
Solution
Connect with nc 103.200.7.150 9977:
[-] Welcome to the virtual GDB [-]
Available command: [ cat, ls, gdb ]
ls
bin
deployer
dev
lib
lib32
lib64
rev_me
usr
The server only offers the commands cat, ls and gdb. From ls we find two binaries, rev_me and deployer; the target of this challenge is rev_me, so we go straight to running gdb on rev_me.
(gdb) disass main
No symbol table is loaded. Use the "file" command.
Apparently it is not that easy, so we try info files:
(gdb) info files
Symbols from "/rev_me".
Local exec file:
`/rev_me', file type elf64-x86-64.
Entry point: 0x400600
0x0000000000400238 - 0x0000000000400254 is .interp
0x0000000000400254 - 0x0000000000400274 is .note.ABI-tag
0x0000000000400274 - 0x0000000000400298 is .note.gnu.build-id
0x0000000000400298 - 0x00000000004002c0 is .gnu.hash
0x00000000004002c0 - 0x00000000004003b0 is .dynsym
0x00000000004003b0 - 0x0000000000400429 is .dynstr
0x000000000040042a - 0x000000000040043e is .gnu.version
0x0000000000400440 - 0x0000000000400470 is .gnu.version_r
0x0000000000400470 - 0x00000000004004b8 is .rela.dyn
0x00000000004004b8 - 0x0000000000400560 is .rela.plt
0x0000000000400560 - 0x000000000040057a is .init
0x0000000000400580 - 0x0000000000400600 is .plt
0x0000000000400600 - 0x00000000004008b2 is .text
0x00000000004008b4 - 0x00000000004008bd is .fini
0x00000000004008c0 - 0x000000000040094f is .rodata
0x0000000000400950 - 0x0000000000400984 is .eh_frame_hdr
0x0000000000400988 - 0x0000000000400a7c is .eh_frame
0x0000000000600e10 - 0x0000000000600e18 is .init_array
0x0000000000600e18 - 0x0000000000600e20 is .fini_array
0x0000000000600e20 - 0x0000000000600e28 is .jcr
0x0000000000600e28 - 0x0000000000600ff8 is .dynamic
0x0000000000600ff8 - 0x0000000000601000 is .got
0x0000000000601000 - 0x0000000000601050 is .got.plt
0x0000000000601050 - 0x0000000000601060 is .data
0x0000000000601060 - 0x0000000000601078 is .bss
OK, we disassemble .text with disass 0x0000000000400600,0x00000000004008b2; first we switch the disassembly output to Intel syntax with set disassembly-flavor intel.
We set breakpoints on the cmp instructions, in particular those after the call to fgets:
0x00000000004007ca: cmp dl,al
0x00000000004007d9: cmp eax,0xa
0x00000000004007de: cmp DWORD PTR [rbp-0x38],0xb
The first one compares a byte of our input with an expected byte; reading the surrounding code, [rbp-0x34] is incremented on every iteration and compared with 0xa (a loop index running 0..10), while [rbp-0x38] is only incremented when the bytes match and is compared with 0xb afterwards (a match counter that must reach 11), which suggests an 11-character login. We also add a hook-stop to make debugging easier (gdb commands are case-sensitive, so it must be typed in lowercase):
define hook-stop
info registers
x/5i $rip
end
First breakpoint:
=> 0x4007ca: cmp dl,al
0x4007cc: jne 0x4007d2
0x4007ce: add DWORD PTR [rbp-0x38],0x1
0x4007d2: add DWORD PTR [rbp-0x34],0x1
0x4007d6: mov eax,DWORD PTR [rbp-0x34]
Breakpoint 1, 0x00000000004007ca in ?? ()
(gdb) x/wx $dl
0x61: Cannot access memory at address 0x61
(gdb) x/wx $al
0x67: Cannot access memory at address 0x67
Our input byte ('a', 0x61, in dl) must equal 'g' (0x67, in al). Note that x/wx $dl tries to dereference the register value as an address, which fails, but the error message conveniently prints the value; p/c $al or p/c $dl shows the same thing directly. We keep replacing the characters one position at a time,
until we end up with gdb_is_okay.
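The per-character extraction above can be automated from the same (gdb) prompt instead of re-running the binary once per position. This is an added example, not part of the original writeup; it assumes the addresses shown above (the cmp dl,al at 0x4007ca, with dl holding our input byte and al the expected byte), that the loop runs 11 times as the cmp eax,0xa bound suggests, and that the login is read with fgets so any 11-character line reaches the compare for every position. Paste the commands, then type a dummy line such as aaaaaaaaaaa when the program asks for the login:

```gdb
# Added example (assumption: cmp dl,al at 0x4007ca, dl = input byte, al = expected byte).
set pagination off

# If hook-stop was defined earlier, clear it so it does not fire on every hit.
define hook-stop
end

break *0x4007ca
commands
  silent
  # Leak the expected byte for this position.
  printf "%c", $al
  # Force the comparison to succeed so the match counter keeps up with the
  # index and the program accepts the recovered login in this single run.
  # If your gdb build refuses to write the byte pseudo-register, use:
  #   set $rdx = ($rdx & ~0xff) | $al
  set $dl = $al
  continue
end

# Any 11-character line works as input; the expected bytes are printed
# one per hit, followed by the program's own output.
run
```

The leaked characters appear concatenated on one line (gdb_is_okay) before the program's success message, because every compare is forced to match; remove the set $dl line if you only want to observe the expected bytes without altering the program's behaviour.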
We test it by running the program:
./rev_me
[x] Welcome to the Jungle - SlashRoot Hacking Departement [x]
[+] Login : gdb_is_okay
Awesome, the flag is: SlashRootCTF{gdb_is_okay}!
The flag for this challenge is SlashRootCTF{gdb_is_okay}.